Security News > 2023 > July > New P2PInfect Worm Targets Redis Servers with Undocumented Breach Methods

The P2PInfect peer-to-peer worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet.

"The malware compromises exposed instances of the Redis data store by exploiting the replication feature," Cado Security researchers Nate Bill and Matt Muir said in a report shared with The Hacker News.

"A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command."

The Rust-based malware was first documented by Palo Alto Networks Unit 42, calling out the malware's ability to exploit a critical Lua sandbox escape vulnerability to obtain a foothold into Redis instances.

Another initial access vector entails the registration of a malicious cron job on the Redis host to download the malware from a remote server upon execution, a method previously observed in attacks mounted by the WatchDog cryptojacking group.

A notable trait of the botnet is its worming behavior, enabling it to expand its reach by using a list of passwords to brute-force SSH servers and attempting to exploit the Lua sandbox escape vulnerability or use the SLAVEOF command in the case of Redis servers.

News URL

https://thehackernews.com/2023/07/new-p2pinfect-worm-targets-redis.html